Massive British Airways data breach - what it means for you

British Airways has apologised after admitting that 100,000s of customers' payment details have been stolen over a period of 15 days in a massive data breach.

The airline revealed on Thursday 6 September that the personal and financial data of customers who made a booking – or updated a booking and made a payment – on BA.com or the BA app between 21 August 2018 and 5 September 2018 had been accessed. In total, about 380,000 cards were "compromised".

BA is now contacting all affected customers and instructing them to contact their banks or credit card providers and follow their advice. However, MoneySavingExpert.com has found that card providers are taking different approaches, with some issuing all affected customers with new cards and others simply advising customers to watch for suspicious transactions.

What details have been taken?

BA says the data stolen included not only card numbers but also customers' card verification codes (CVCs) – the three-digit number on the back of the card, used as a security feature when you make payments that aren't in person.

I've been affected by the breach – what should I do?

You can also take the following steps to minimise the risk of being hit by fraud (see our 30+ Ways to Stop Scams guide for full help):

Check your bank or credit card transactions regularly. If you spot any unfamiliar or unusual activity, make sure you contact your bank immediately and let it know.

If worried, demand a new card. Banks and credit card firms are taking different approaches, but if yours isn't routinely replacing cards affected by this breach, you can ask for a replacement card anyway.

Beware of 'phishing scams'. Criminals may attempt to use the news of the data breach as an opportunity to trick people affected into revealing information. Remember that no bank or any other genuine organisation will contact you out of the blue to ask for details such as your PIN or banking password, and beware of clicking on any links in text messages or emails.

Change your British Airways login password. And if you use that password elsewhere, make sure you change it there too. It's good practice to use different passwords – see our Password Security guide for more help.

See if your card provider lets you get payment notifications. Some card providers, such as American Express, allow you to get notifications on your phone or tablet every time a payment is made on your card. This way you can see instantly when a payment goes out, if it's one you aren't expecting.

What are card providers doing?

Customers should not be left out of pocket by any fraudulent activity on their cards as a result of this data breach – if your card is charged, your card provider or bank should refund you.

We've asked the major high street banks and card providers what guidance they're giving to customers, and this is what they've told us so far:

Barclays, Santander, Monzo and Starling are issuing affected customers with new cards. In the meantime, you can continue to use your old card (though Barclays says you won't be able to use it online) and you should contact your bank if you spot any fraudulent activity.

American Express says customers should continue to use their cards as normal. It says if it spots unusual activity on your account which may be fraud, it will contact you, and if it verifies fraud has taken place, it will replace the card. You should also contact Amex if you spot any fraudulent activity on your card.

Bank of Scotland, Halifax, HSBC, Lloyds, Nationwide, NatWest, RBS, TSB and Ulster Bank have all told us that customers should continue to check their statements regularly and contact them if they see anything unusual – but they WON'T be routinely reissuing cards for all affected customers.

We've also contacted First Direct and will update this story when we hear back.

What are customers saying?

British Airways customers affected by the breach have been critical of the company – with some saying they were offered little guidance by the airline.

I booked a BA flight with a third party – am I affected?

Only customers who made a booking or change that required a payment on BA.com or the BA app between 21 August 2018 and 5 September 2018 are affected.

If you booked with a third party, BA says you won't have been affected.

What if I didn't make a payment – am I affected?

No, only customers who made or amended a booking which involved making a payment between the dates mentioned above are affected.

Has anyone lost money as a result of the breach?

BA says it can't comment on whether any customers have actually been victims of fraud or lost money as a result of the breach.

If you've been hit by fraud, contact your bank as your first port of call.

Is BA offering compensation?

The airline says no one will be left "out of pocket" due to the data breach, but in practice, if you're hit by fraud, go to your bank or credit card provider, as it will be responsible for refunding you.

BA has said it will deal with any claims for compensation arising from the breach on an "individual basis". All affected customers will also be offered a 12-month credit rating monitoring service – BA should be in touch with details of this in due course.

A legal firm called SPG Law says it plans to launch a 'group action claim' – a type of legal action where a number of people are represented by one firm – to get customers compensation from BA. At the moment it's unclear if it'll be successful, how long it'll take and what cut of any compensation awarded you would actually get.

'This simply isn't good enough'

"Yes, criminals are getting smarter which makes firms' jobs more difficult – but they need to put up every shield possible to stop this. BA's motto is 'to fly, to serve'. Well, it's clearly fallen short on the service in this case.

"Anyone who's made a booking with BA recently should keep a very close eye on their statements for suspicious transactions and change their passwords on other accounts if it's the same as on BA.com, just to be safe. Let your bank know immediately about any possible fraudulent transactions."

What does BA say?

BA said on Thursday evening: "British Airways is investigating, as a matter of urgency, the theft of customer data from its website, BA.com and the airline's mobile app. The stolen data did not include travel or passport details.

"The breach has been resolved and our website is working normally."

The airline said it was in the process of notifying affected customers and Alex Cruz, BA's chairman and chief executive, said he was "deeply sorry for the disruption that this criminal activity has caused".

Speaking to the BBC on Friday morning, Cruz added: "There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work.

"We didn't know exactly [the] extent of the work, so overnight, the teams were trying to figure what was the extent of the attack."

What does the data watchdog say?

An Information Commissioner's Office spokesperson said: "British Airways has made us aware of an incident and we are making inquiries."
